Skip to content

chore(security): pin undici >=7.28.0, clear 7 advisories (v3.0.8)#39

Merged
vib795 merged 1 commit into
masterfrom
chore/security-undici-3.0.8
Jun 20, 2026
Merged

chore(security): pin undici >=7.28.0, clear 7 advisories (v3.0.8)#39
vib795 merged 1 commit into
masterfrom
chore/security-undici-3.0.8

Conversation

@vib795

@vib795 vib795 commented Jun 20, 2026

Copy link
Copy Markdown
Owner

Summary

Clears the open undici Dependabot alerts (#52 high, #53 moderate) and supersedes #38.

undici 7.25.0 reaches the build toolchain transitively via @vscode/vsce → cheerio → undicidev-scope only. undici 7.28.0 fixes seven advisories:

Advisory Severity Issue
GHSA-vmh5-mc38-953g High TLS cert validation bypass in SOCKS5 ProxyAgent
GHSA-pr7r-676h-xcf6 Moderate Cross-user disclosure via shared-cache whitespace bypass
GHSA-p88m-4jfj-68fv Moderate HTTP header injection via Set-Cookie percent-decoding
GHSA-vxpw-j846-p89q High WebSocket DoS via fragment count bypass
GHSA-hm92-r4w5-c3mj High Cross-origin routing via SOCKS5 pool reuse
GHSA-35p6-xmwp-9g52 Low Response queue poisoning via keep-alive reuse
GHSA-g8m3-5g58-fq7m Low Set-Cookie SameSite downgrade

Approach

Pinned via npm overrides to >=7.28.0 <8 (repo convention for durable transitive fixes), staying on the v7 line cheerio expects (^7.12.0) rather than letting the override pull undici 8.x and break the build tool. Resolves to undici 7.28.0.

Verification

  • npm audit: 0 vulnerabilities (full and --omit=dev)
  • typecheck / lint / 18 tests: pass
  • vsce package smoke test: clean (undici 7.28.0 works in the build tool)
  • Shipped runtime (simple-git, @octokit/rest) unchanged

Bumps version to 3.0.8 and adds the README "What's new" entry.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Security
    • Resolved TLS validation bypass vulnerability in proxy handling
    • Fixed shared-cache cross-user disclosure vulnerability
    • Security audit now reports zero vulnerabilities

undici 7.25.0 reached the build toolchain transitively via
@vscode/vsce -> cheerio -> undici. v7.28.0 fixes seven advisories
(two high: GHSA-vmh5-mc38-953g SOCKS5 TLS validation bypass,
GHSA-pr7r-676h-xcf6 shared-cache cross-user disclosure; plus five
moderate/low). Pinned via npm overrides to >=7.28.0 <8 to stay on the
v7 line cheerio expects (^7.12.0), avoiding a major bump.

npm audit: 0 vulnerabilities (full and --omit=dev). Dev-scope only;
shipped runtime (simple-git, @octokit/rest) unchanged. Supersedes #38.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 948dd1a1-42b7-4ba7-8ff7-6c2fdda29671

📥 Commits

Reviewing files that changed from the base of the PR and between 0e8dbcc and 82e67bf.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • README.md
  • package.json

📝 Walkthrough

Walkthrough

The extension version is bumped from 3.0.7 to 3.0.8 in package.json. An npm overrides entry pins the transitive undici dependency to >=7.28.0 <8 to address TLS validation bypass and shared-cache cross-user disclosure advisories. The README changelog is updated with a matching v3.0.8 entry.

Changes

Security patch release v3.0.8

Layer / File(s) Summary
Version bump and undici override
package.json, README.md
Version field updated to 3.0.8; undici override constraint >=7.28.0 <8 added to overrides alongside the existing js-yaml override; README changelog records the security fix and npm audit result.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hopped in, patched the deps with care,
undici pinned tight, no advisories dare,
Version bumped up, the audit reads clean,
Zero vulnerabilities — best changelog seen!
🐇✨ npm audit approves with a happy hop!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: pinning undici to a specific version range to resolve security advisories, with the version number and advisory count included.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/security-undici-3.0.8

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@vib795 vib795 merged commit b2c141a into master Jun 20, 2026
1 of 2 checks passed
@vib795 vib795 deleted the chore/security-undici-3.0.8 branch June 20, 2026 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant